/var/log/virtualmin log files have incorrect owner designations

Some of the virtual servers showed Webalizer reports missing several months of data. I attempted to generate Webalizer reports and in some cases the reports would fail. I would get the message:

Running Webalizer to generate report from /var/log/virtualmin/caitech.com_access_log ..

.. Webalizer failed! See the output above for details.

This was not helpful. I researched running Webalizer from the command line and it worked well. Looking into the disparity I realized I was running the command line version as root, and checking the log files in /var/log/virtualmin I first noticed the group was set to apache on all of the files. On page Virtualmin > Logs and Reports > Webalizer Report I changed "Run Webalizer as user" to apache and was able to run a set of reports.

I then looked at the files in /var/log/virtualmin more closely and noticed a very odd collection of owner names. I found one or more instances of the following:

  • Owner the name of the account in Virtualmin (as expected)
  • Owner the name of an ftp user of the related account (user.account)
  • Owner the name of a completely unrelated account (unrelatedaccount)
  • Owner the name of a completely unrelated ftp user (unrelateduser.unrelatedaccount)

I'd like to get these fixed. I can chown all the files in the directory, but how did they get this way in the first place and will chown'ing them cause the next log entry to fail on a permissions problem?

Status: 
Active

Comments

That's odd - those files should all be owned by the domain user, with the group "apache".

For the domains whose files are owned by some un-related user, were these recently renamed, moved under a different owner, or restored from a backup?

None were recently (nor as I recall, ever) renamed, moved under a different owner, or restored from backup.

If you create a new test domain, does it get log files with the right permissions?

Created new domain virtualmintest.com, two files were created in /var/log/virtualmin/ ..._access_log and ..._error_log, both have correct ownership, owner virtualmintest, group apache

How old are the domains with incorrect ownership? It is possible that they were created some time back when a bug existed in Virtualmin that set it wrongly, but which has now been fixed.

The first one was created on 8 May 09, all but one other were created 9&10 May 2009. The last one was created in Aug 09 and it has correct permissions

You may be seeing the remnants of a bug that has been already fixed. Apache and logrotate won't change the ownership on log files, so if they were created months back the wrong ownership would still be there ..

So is there a fix other than backup / delete / recreate / restore?

Oh, to fix your existing files you could just chown them to the correct users. This could be done with a command like :

for dom in `virtualmin list-domains --name-only`; do
    user=`virtualmin list-domains --domain $dom | awk '{ print $2 }' | tail -1`
    chown $user /var/log/virtualmin/${dom}_*
done

I can do that to change ownership of the existing files.

However I am assuming that if changing ownership of existing files is all I do, when the next log rotate occurs a new file will be created with the existing incorrect ownership.

Is that assumption correct? If so, is there another way to fix the ownership or is the backup / delete / recreate / restore process the only way?

The next log rotation should keep the new correct ownership, as logrotate re-creates the files with the current permissions and owner.

This line will output a table with a potentially trimmed username:

  user=`virtualmin list-domains --domain $dom | awk '{ print $2 }' | tail -1`

Should instead use a --user-only param:

  user=`virtualmin list-domains --domain $dom --user-only`
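
A read-only check to run before and after the chown loop discussed above, as an added example that is not from this thread or from Virtualmin: it reports every log file whose owner differs from the domain's user, and flags symlinks because a root `chown` over a glob follows them. The function names, the "domain user" map format and the use of GNU `stat -c` are assumptions of this example; `--name-only` and `--user-only` are the options quoted in the thread.

```shell
#!/bin/sh
# audit_log_owners DIR MAPFILE
# MAPFILE holds one "domain user" pair per line (format made up for this
# example). Prints one line per suspicious log file and returns 1 if any
# was found. It never changes ownership itself.
audit_log_owners() {
    dir=$1
    map=$2
    bad=0
    while read -r dom user; do
        [ -n "$dom" ] || continue
        for f in "$dir/${dom}"_*; do
            if [ -L "$f" ]; then
                # chown would act on the link target, so report and skip
                printf 'SYMLINK %s\n' "$f"
                bad=1
                continue
            fi
            [ -e "$f" ] || continue          # glob matched nothing
            owner=$(stat -c '%U' "$f")       # assumption: GNU stat (Linux)
            if [ "$owner" != "$user" ]; then
                printf 'MISMATCH %s owner=%s expected=%s\n' "$f" "$owner" "$user"
                bad=1
            fi
        done
    done < "$map"
    return "$bad"
}

# build_domain_map: prints "domain user" lines for every Virtualmin domain,
# using --user-only so the username is not trimmed by the table output.
build_domain_map() {
    for dom in $(virtualmin list-domains --name-only); do
        printf '%s %s\n' "$dom" \
            "$(virtualmin list-domains --domain "$dom" --user-only)"
    done
}

# Usage on a Virtualmin host (run as root):
#   build_domain_map > /root/domain-users.map
#   audit_log_owners /var/log/virtualmin /root/domain-users.map
```
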
Submitted by eugenevdm.host on Thu, 03/19/2020 - 00:02

It appears on an NGINX server all files in /var/log/virtualmin are owned by www-data:www-data, meaning that Webalizer doesn't generate its stats. Manually changing permissions on the log files fixes the problem, but as mentioned by @JamieCameron when the log files are re-generated they have the wrong permissions again. Is there a permanent fix for this issue?

Submitted by Ilia on Thu, 03/19/2020 - 07:59

Check Webmin/System/Log File Rotation > Edit Log File > Re-create log file after rotation? and set mode manually.

Does it help?

I spent some time investigating this, as it has always impacted every virtualmin-nginx environment I've dealt with. Looking at the code, it would look like it is intended behavior, probably by mistake. Am I wrong? Shouldn't this be fixed by checking the log path like set_apache_log_permissions does?

/usr/share/webmin/virtualmin-nginx/virtual_feature.pl

sub set_nginx_log_permissions
{
my ($d, $log) = @_;
my $web_user = &get_nginx_user();
my @uinfo = getpwnam($web_user);
my $web_group = getgrgid($uinfo[3]) || $uinfo[3];
&set_ownership_permissions($d->{'uid'}, $web_group, 0660, $log);
}

/usr/share/webmin/virtual-server/feature-web.pl

sub set_apache_log_permissions
{
local ($d, $l) = @_;
local $auser = &get_apache_user($d);
if (&is_under_directory($d->{'home'}, $l)) {
        &set_permissions_as_domain_user($d, 0660, $l);
        }
else {
        my @uinfo = getpwnam($auser);
        my $agroup = getgrgid($uinfo[3]) || $uinfo[3];
        &set_ownership_permissions($d->{'uid'}, $agroup, 0660, $l);
        }
}

It looks like Virtualmin 6.15 includes the fixed code from that commit, but the issue is still occurring. nginx logs were just set to www-data again after rotation, although "Re-create log file after rotation" is set as "Default (yes, with old permissions)".